论文信息 - Network-Based Buffer Overflow Detection by Exploit Code Analysis

Network-Based Buffer Overflow Detection by Exploit Code Analysis

Buffer overﬂow attacks continue to be a major security problem and detecting attacks of this nature is therefore crucial to network security. Signature based network based intrusion detection systems (NIDS) compare network trafﬁc to signatures modelling suspicious or attack trafﬁc to detect network attacks. Since detection is based on pattern matching, a signature modelling the attack must exist for the NIDS to detect it, and it is therefore only capable of detecting known attacks. This paper proposes a method to detect buffer overﬂow attacks by parsing the payload of network packets in search of shellcode which is the remotely executable component of a buffer overﬂow attack. By analysing the shellcode it is possible to determine which system calls the exploit uses, and hence the operation of the exploit. Current NIDS-based buffer overﬂow detection techniques mainly rely upon speciﬁc signatures for each new attack. Our approach is able to detect previously unseen buffer overﬂow attacks, in addition to existing ones, without the need for speciﬁc signatures for each new attack. The method has been implemented and tested for buffer overﬂow attacks on Linux on the Intel x86 architecture using the Snort NIDS.

George M. Mohay | Andrew Clark | Stig Andersson

[1] David Evans,et al. Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[2] Massimo Bernaschi,et al. Operating system enhancements to prevent the misuse of system calls , 2000, CCS.

[3] Christopher Krügel,et al. Accurate Buffer Overflow Detection via Abstract Payload Execution , 2002, RAID.

[4] A. One,et al. Smashing The Stack For Fun And Profit , 1996 .

[5] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .

[6] Ulf Lindqvist,et al. Detecting computer and network misuse through the production-based expert system toolset (P-BEST) , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[7] Crispan Cowan,et al. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[8] Michael K. Johnson,et al. Linux Application Development , 1998 .

[9] Calton Pu,et al. Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.